Most makers of IoT devices still don’t explain how personal info is used: Report

Makers of Internet-connected devices are still not being up front enough with buyers about the amount and handling of personal data being collected, says a report issued Thursday by privacy commissioners from 25 countries including Canada.

“Overall there was significant room for improvement with respect to the privacy communications of the Internet-connected devices swept,” Canadian privacy commissioner Daniel Therrien said in a release.

“With the proliferation of the Internet of Things (IoT), the activities, movements, behaviours and preferences of individuals are being measured, recorded and analyzed on an increasingly regular basis. As this technology expands, it is imperative that companies do a better job of explaining their personal information handling practices.”

Researchers found 59 per cent of the devices looked at didn’t adequately explain how personal information is collected, used and disclosed.

The report is the fourth annual Global Privacy Enforcement Network (GPEN) Privacy Sweep, which took place April 11-15 and looked at the privacy communications and practices of 314 Internet-connected devices. It focused largely on how manufacturers communicate their personal information handling practices.

The aim is to increase public and business awareness of privacy rights, responsibilities and best practices; encourage compliance with privacy legislation; and enhance co-operation among privacy enforcement authorities. It also shows the commitment of privacy enforcement authorities to work together to promote privacy protection internationally.

Each authority could choose a different category of products, ranging from toys, health devices, household aids and smart meters to connected cars and smart TVs. Authorities could also look at the privacy communications that came in the box with the devices and/or those provided by the companies online. They could also interact with the devices to assess how well privacy communications matched their experience using the product.

Therrien’s office assessed 21 health and wellness devices including fitness trackers, smart watches, smart scales, blood pressure monitors and other Internet-connected devices that could track everything from sleep habits to a person’s blood-alcohol level. Among other things, they wondered why many devices requested access to certain sensitive data – for example, why a blood pressure monitor and thermometer asked to access location information. Canadian researchers were told by the thermometer manufacturer that access to location helps users find groups of other users of the product.

The authors emphasize that the sweep isn’t an investigation, nor was it intended to conclusively identify compliance issues or possible violations of privacy legislation.

Among the findings:

– The privacy communications for many health and wellness devices swept don’t adequately explain personal information collection, use and disclosure practices. The vast majority of health and wellness device companies offered a privacy policy. However, sweepers noted they were seldom specific to the device and that most were generic policies posted online by the company, which typically had multiple products and/or services under its name. Sweepers also reported that privacy communications seldom matched the user’s experience. Most privacy communications mentioned disclosure to third parties but sweepers were not always told to whom the personal information may be disclosed;

– Many sweepers indicated they were not fully informed about how their personal information would be stored and about the safeguards that existed to protect it. Generally speaking, sweepers were left wanting more information about the methods used to store and safeguard their information. The majority of sweepers noted that companies did not indicate whether data would be encrypted when stored and/or transferred;

– Sweepers had difficulty finding information about how to delete their data. Nearly half of Canadian sweepers could not find simple instructions on how to delete their data, nor could more than three-quarters of international sweepers. In follow-up responses to specific questions from Therrien’s office, however, some companies were able to elaborate on their delete options;

– In a rare but welcome practice, sweepers noted several examples of enhanced notice provided to users in the form of “just-in-time” notifications that explained the purposes for the collection of certain data elements in real time—in other words, at the very moment the user was asked to input the information or make a key decision, for example, during the registration process;

– Responses to customer questions about privacy were generally timely, clear and forthright.

Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.